US10142301B1ActiveUtility

Encrypted data delivery without intervening decryption

93
Assignee: AMAZON TECH INCPriority: Sep 17, 2014Filed: Sep 17, 2014Granted: Nov 27, 2018
Est. expirySep 17, 2034(~8.2 yrs left)· nominal 20-yr term from priority
H04L 9/0816H04L 63/0478H04L 63/0428H04L 63/123H04L 2463/062G06F 21/606H04L 9/0841H04L 9/3242H04L 9/0894H04L 9/0825
93
PatentIndex Score
18
Cited by
33
References
27
Claims

Abstract

Multiple communications that encode data are encrypted for transit from one entity to the other. An entity receiving the communications decrypts at least some of the communications to determine how to process the communications. As part of processing the communications, the entity receiving the communications provides at least some of the encrypted communications to a data storage system without reencrypting those communications.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method, comprising:
 establishing a secure communications channel with a second computer system, resulting in session information that includes a cryptographic key usable to decrypt encrypted records received over the secure communications channel; 
 receiving, over the secure communications channel, a sequence of encrypted records, wherein individual records of the sequence of encrypted records are decryptable using the cryptographic key; 
 decrypting, using the cryptographic key, a first subsequence of the sequence of encrypted records to form a decrypted first subsequence; and 
 as a result of determining that the decrypted first subsequence indicates a request to store a second subsequence, distinct from the first subsequence, of the sequence of encrypted records, providing the second subsequence and the cryptographic key to a data storage system, thereby causing the second subsequence and the cryptographic key to be stored, the cryptographic key usable to decrypt the sequence. 
 
     
     
       2. The computer-implemented method of  claim 1 , wherein the second subsequence and the cryptographic key are stored without the second subsequence having been decrypted using the cryptographic key between receiving the sequence of encrypted records and providing the second subsequence to the data storage system. 
     
     
       3. The computer-implemented method of  claim 1 , wherein:
 establishing the secure communications channel comprises performing a handshake of a protocol that has a handshake protocol and a record protocol; and 
 the sequence of encrypted records comprises individual records formatted in accordance with the record protocol. 
 
     
     
       4. The computer-implemented method of  claim 1 , wherein the first subsequence encodes at least part of a request to store data encoded in the second subsequence. 
     
     
       5. The computer-implemented method of  claim 1 , wherein determining the second subsequence comprises:
 obtaining, from the decrypted first subsequence, information that indicates a size of a data object to be stored; and 
 calculating, based at least in part on the information obtained, a range of records that encodes the data object, wherein the second subsequence contains the range of records calculated. 
 
     
     
       6. A system, comprising:
 one or more processors; and 
 memory including instructions that, as a result of execution by the one or more processors, cause the system to:
 receive a set of encrypted communications, wherein individual communications of the set of encrypted communications are decryptable using a cryptographic key; 
 decrypt, using the cryptographic key, a first subset of the set of encrypted communications to form a decrypted first subset; and 
 as a result of determining that the decrypted first subset of the set of encrypted communications indicates an operation to be performed on a second subset, distinct from the first subset, of the set of encrypted communications, provide the second subset and the cryptographic key. 
 
 
     
     
       7. The system of  claim 6 , wherein the cryptographic key is a symmetric cryptographic key. 
     
     
       8. The system of  claim 6 , wherein:
 the set of encrypted communications is a sequence of encrypted communications; 
 the first subset of the set of encrypted communications is a first subsequence of the sequence; and 
 the second subset of the set of encrypted communications is a second subsequence of the sequence. 
 
     
     
       9. The system of  claim 6 , wherein the first subset of the set of encrypted communications and the second subset of the set of encrypted communications have a nonempty intersection. 
     
     
       10. The system of  claim 6 , wherein the instructions cause the system to determine the second subset of the set of encrypted communications by causing the system to:
 obtain information about the second subset of the set of encrypted communications from the decrypted first subset; and 
 use the information obtained to determine the second subset from the set of encrypted communications. 
 
     
     
       11. The system of  claim 6 , wherein the instructions that cause the system to produce the decrypted first subset cause the system to decrypt communications until the system detects a header of a request to store data. 
     
     
       12. The system of  claim 6 , wherein the set of encrypted communications:
 comprises communications formatted in accordance with a first protocol; and 
 encodes a request formatted in accordance with a second protocol different from the first protocol. 
 
     
     
       13. The system of  claim 6 , wherein the instructions, as a result of execution by the one or more processors, cause the system to perform a handshake process with another computer system to determine the cryptographic key. 
     
     
       14. The system of  claim 6 , wherein:
 the instructions further cause the system to:
 establish a secure communication channel with a sender of the set of encrypted communications; and 
 negotiate, as at least a part of a process of establishing the secure communications channel, the cryptographic key; and 
 
 the set of encrypted communications are received over the secure communication channel from the sender. 
 
     
     
       15. The system of  claim 6 , wherein the instructions that cause the system to provide the second subset cause the system to provide, without decrypting, the second subset of the set of encrypted communications and the cryptographic key to a data storage system. 
     
     
       16. The system of  claim 6 , wherein the encrypted communications are formatted in accordance with a transport layer security record protocol. 
     
     
       17. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
 decrypt, using session information that includes a cryptographic key, at least a first subset of a set of encrypted communications to determine that the set of encrypted communications collectively encodes a request and data; and 
 as a result of determining that the set of encrypted communications collectively encodes the request, fulfill the request by, without further decrypting the set of encrypted communications, providing:
 a second subset of the set of encrypted communications that contains the data; and 
 the cryptographic key, the cryptographic key usable to decrypt the second subset. 
 
 
     
     
       18. The non-transitory computer-readable storage medium of  claim 17 , wherein the executable instructions further comprise instructions that cause the computer system to negotiate session information with a sender of the set of encrypted communications. 
     
     
       19. The non-transitory computer-readable storage medium of  claim 18 , wherein the executable instructions that cause the computer system to provide at least the second subset of the set of encrypted communications further cause storage of at least the second subset of the set of encrypted communications and the cryptographic key. 
     
     
       20. The non-transitory computer-readable storage medium of  claim 17 , wherein the executable instructions further comprise instructions that cause the computer system to:
 decrypt the second subset of the set of encrypted communications to produce a decrypted second subset; and 
 verify integrity of data encoded by the decrypted second subset. 
 
     
     
       21. The non-transitory computer-readable storage medium of  claim 17 , wherein the executable instructions further include instructions that cause the computer system to form the first subset of the set of encrypted communications by decrypting communications until determined that the first subset of the set of encrypted communications contains sufficient information to determine how to fulfill the request. 
     
     
       22. The non-transitory computer-readable storage medium of  claim 17 , wherein the second subset of the set of encrypted communications comprises at least one communication that was decrypted by the computer system. 
     
     
       23. The non-transitory computer-readable storage medium of  claim 17 , wherein:
 the second subset of the set of encrypted communications comprises multiple subsets that individually correspond to different data objects; and 
 the executable instructions that cause the computer system to fulfill the request, as a result of execution by the one or more processors, cause the computer system to transmit the second subset of the set of encrypted communications such that the multiple subsets are stored as individual data objects. 
 
     
     
       24. The non-transitory computer-readable storage medium of  claim 17 , wherein the executable instructions that cause the computer system to fulfill the request, further cause the computer system to fulfill the request without decrypting at least one communication from the second subset of the set of encrypted communications. 
     
     
       25. The non-transitory computer-readable storage medium of  claim 17 , wherein the set of encrypted communications are records formatted in accordance with a record protocol. 
     
     
       26. The non-transitory computer-readable storage medium of  claim 17 , wherein the executable instructions further include instructions that cause the computer system to verify integrity of the data without decrypting at least a portion of the data. 
     
     
       27. The non-transitory computer-readable storage medium of  claim 17 , wherein the cryptographic key is a private key of a public/private key pair.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.